On December 16, 2019 the EU Directive on the protection of persons who report breaches of Union law (Directive (EU) 2019/1937, the "Whistleblower Directive") entered into force. Member States are required to transpose the Directive into national law by December 17, 2021.
The scope of the Directive is immense. It regulates the subject matter across the Union, which is home to 450 million citizens and 22.5 million SMEs, many of which will be directly affected by the Directive.
The Directive requires legal entities to establish internal reporting channels and internal procedures for receiving and following up on reports. Here are some of the main takeaways for practitioners.
WHICH LEGAL ENTITIES ARE AFFECTED?
The general thresholds to keep in mind are 50 workers and 10,000 inhabitants. In the private sector the requirement applies to legal entities with at least 50 workers. In some sectors (notably financial services and entities subject to anti-money-laundering rules) this threshold does not apply at all, and internal channels are mandatory regardless of workforce size.
In the public sector the internal reporting channel requirement applies to all legal entities. However, one will also need to refer to national law, as Member States are allowed to make exemptions from this general rule: they may exempt municipalities with fewer than 10,000 inhabitants or fewer than 50 workers, as well as other public sector entities with fewer than 50 workers.
DO INTERNAL REPORTING CHANNELS NEED TO BE ACCESSIBLE TO THE GENERAL PUBLIC?
The internal reporting channel is required to be made available to the entity's workers.
The Directive itself does not require the internal channel to be made available also to other persons (e.g. suppliers, subcontractors, shareholders, former workers or job applicants) to report information on breaches, although Member States may require this in national law. In any case, such persons may at any time submit their reports through external reporting channels operated by the competent authorities. The use of external channels is not conditioned upon the prior use of internal reporting channels.
WHAT ABOUT ANONYMOUS REPORTING?
There is no general requirement in the Directive to accept and follow up on anonymous reports of breaches. Member States are free to decide whether to introduce such a requirement in their national laws or not. However, the decision to accept and follow up only on reports with disclosed identities of reporting persons may prove challenging. The available methods for confirming identity are limited and present an additional barrier for a whistleblower. Moreover, such an approach is not in line with best practice. Rejecting a report only because it was made anonymously, regardless of its contents, makes little sense. Quite often remaining anonymous is the best and in effect the only protection for the reporting person against retribution. Note also that a person who reported anonymously but is subsequently identified and suffers retaliation still qualifies for protection under the Directive.
MAY THE IDENTITY OF THE REPORTING PERSON BE DISCLOSED?
The identity of the reporting person may be disclosed only with that person's explicit consent, or where such disclosure is a necessary and proportionate obligation under Union or national law.
The reporting channel is required to protect the confidentiality of the identity of the reporting person and of any third party mentioned in the report, and to prevent access thereto by non-authorised staff members.
The identity of the reporting person may not be disclosed to anyone beyond the authorised staff without that person's explicit consent, or where such disclosure is a necessary and proportionate obligation under Union or national law, for example in the context of investigations or judicial proceedings. Where disclosure is required by law, the reporting person must be informed before the identity is disclosed, together with a written explanation of the reasons, unless such information would jeopardise the related investigations or judicial proceedings. The same duty of confidentiality applies to any other information from which the identity of the reporting person may be directly or indirectly deduced.
WHAT KIND OF REPORTING CHANNELS ARE REQUIRED?
The reporting channel should allow reporting in writing, orally, or both. Every received report must be recorded. For oral reporting, the reporting person should be able to request a physical meeting with the responsible staff members within a reasonable timeframe. The meeting may be documented either by making a recording of the conversation in a durable and retrievable form, or through accurate minutes of the meeting prepared by the staff members responsible for handling the report. The reporting person must be given the opportunity to check, rectify and agree the minutes of the meeting by signing them. Similar provisions apply to oral reports submitted via telephone or other voice messaging systems: they may be recorded or transcribed, and the reporting person must be able to check, rectify and agree the transcript.
Reports may be stored for no longer than is necessary and proportionate to comply with the requirements of the Directive or with other requirements under Union or national law.
WHAT PROCEDURES MUST BE DRAFTED?
Legal entities need to establish procedures for internal reporting and for the diligent follow-up of reports.
The procedures hence need to regulate the reporting itself, as well as any action that will be taken by the recipient of a report to assess the accuracy of the allegations made in the report and, where relevant, to address the reported breach, including through actions such as an internal enquiry, an investigation, prosecution, an action for recovery of funds, or the closure of the procedure.
The information regarding the use of internal reporting channels and regarding the procedures for reporting externally to competent authorities is required to be clear and easily accessible.
WHO SHOULD HANDLE REPORTS AND WHAT QUALIFICATIONS ARE REQUIRED?
Reports can be handled internally or by a third-party provider; in either case independence and absence of conflict of interest must be ensured. A person or a department is required to be designated for operating the internal reporting channels.
Operating the channel includes receiving the reports and maintaining communication with the reporting person, as well as asking for further information from and providing feedback to that person. This task may be outsourced to third-party providers such as external counsel, external reporting-platform providers, law firms, auditors, employees' representatives and the like. Effective guarantees and safeguards in respect of independence, confidentiality, data protection and secrecy must be in place at the third-party service provider as well.
The follow-up on the report may be conducted by a designated, competent and impartial person or department. This may be the same person or department as the one operating the reporting channel. Who this person or department is depends on the size and structure of each individual organisation. However, the most appropriate person or department should hold a function in the organisation that ensures independence and absence of conflict of interest. Usually such tasks are performed by a chief compliance officer or an HR officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.
Private legal entities with 50 to 249 workers are allowed to share resources for receiving reports and for conducting any subsequent investigations.
WHEN AND WHAT IS REQUIRED TO BE COMMUNICATED TO THE REPORTING PERSON?
The reporting person needs to be informed of the receipt of the report within 7 days and provided feedback no later than 3 months thereafter. The receipt of the report must be acknowledged to the reporting person within seven days of receiving it. For internal channels there is no exemption from this obligation, whereas for external reporting the competent authority may omit the acknowledgment where the reporting person has explicitly requested so, or where the authority reasonably believes that acknowledging receipt would jeopardise the protection of the reporting person's identity.
The internal procedures need to define a reasonable timeframe for providing feedback to the reporting person. This may not exceed three months from the acknowledgment of receipt or, if no acknowledgment was sent, three months from the expiry of the abovementioned seven-day period.
The feedback must inform the reporting person of the action envisaged or taken as follow-up and of the grounds for that follow-up. If no appropriate action is taken within this time period, the reporting person may report externally to the competent authority and, if again no appropriate action is taken within the external timeframe, publicly disclose the breach while still qualifying for protection against retaliation under the Directive. Of course, the appropriateness of the follow-up is a legal standard, and its assessment will depend on the circumstances of each case and on the nature of the rules reported to have been breached.
There is no defined time limit within which the follow-up actions by the entity need to be completed. However, the longer they take, the more likely it is that the actions, if any, will be considered inappropriate, thereby motivating the reporting person to use external reporting channels or to go public with the disclosure of the breach.
In contrast to external reporting, there is no explicit obligation to communicate to the reporting person the final outcome of investigations triggered by the report.
Trusty is a compliance platform built by leading experts to support companies on their compliance journey. It offers free whistleblowing solutions for SMEs and a broad range of instant and affordable compliance management solutions. www.trusty.report